CENTRAL FAX CENTER
Internet Security Systems, Inc. - 08286-105041 OCT 25 200^

Draft Claim Amendment to be Sent to Examiner for Telephonic Interview
U.S. Patent Application Serial No. 09/642,625
Inventor Peter A. J. Van Der Made
Filed: August 18, 2000
Computer Immune System and Method for Detecting Unwanted Code in a Computer System

1. (Currently Amended) A method for identifying presence of malicious code in program
code within a computer system, the method comprising:

initializing building a new virtual machine within the computer system by assigning fresh
physical memory to a memory array each time a target program is to be executed, the memory
array functioning as memory for the virtual machine, the virtual machine comprising a complete
virtual personal computer (PC) implemented by software simulating functionality of a central
processing unit, [[and]] memory, [[and]] a virtual operating system simulating functionality of a
multi-threaded operating system of the computer system, input/output (I/O) ports, BIOS
firmware, and data areas for the virtual operating system;

virtually executing [[a]] the target program within the virtual PC so that the target
program interacts only with an instance of the virtual operating system;

analyzing behavior of the target program upon completion of virtual execution to identify
an occurrence of malicious code behavior based upon an evaluation by the virtual machine of a
behavior pattern representing information about all functions simulated by the target program
during virtual execution; and

terminating the virtual PC after the analyzing process, thereby removing from the
computer system a copy of the target program that was contained within the virtual PC so that
the executed target program cannot affect performance of later executed programs.

11. (Currently Amended) A method for identifying presence of malicious code in
program code within a computer system, the method comprising:

initializing a virtual machine within the computer system, the virtual machine comprising
software simulating functionality of a central processing unit and memory and a virtual operating
system simulating functionality of a multi-threaded operating system of the computer system;

virtually executing a target program with the virtual machine so that the target program
interacts with an instance of the virtual operating system rather than with the operating system of
the computer system, whereby the malicious code is fully executed during virtual execution of
the target program if the target program comprises the malicious code;

generating a behavior pattern for the target program by tracking functions performed and
not performed by the target program with flags in a behavior pattern field and by tracking a
sequence in which the functions are called by the target program with the behavior pattern field
in order to collect information about all functions simulated by the target program during virtual
execution; and

terminating the virtual machine upon completion of the virtual execution of the target
program, leaving behind a record of the behavior pattern that is representative of operations of
the target program with the computer system, including operations of the malicious code if the
target program comprises the malicious code.

18. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system,
comprising:

initializing building a new virtual machine for the computer system by assigning
physical memory to a memory array each time a target program is to be executed, the memory
array functioning as memory for the virtual machine, the virtual machine comprising a complete
virtual personal computer (PC) implemented by software simulating functionality of a central
processing unit, [[and]] memory, [[and]] a virtual operating system simulating functionality of a
multi-threaded operating system of the computer system, input/output (I/O) ports, BIOS
firmware, and data areas for the virtual operating system;

executing a target program within the virtual PC so that the target program completes a
virtual execution by interacting only with an instance of the virtual operating system;

generating a behavior pattern by completing virtual execution of the target program
within the virtual PC, the behavior pattern representative of operational functions completed by
the target program during virtual execution, including at least one of virtual operating system
calls, Input/Output functions and program functions supported by the target program;

upon completion of virtual execution, operating the virtual machine to compare the
behavior pattern generated by virtual execution of the target program to a behavior pattern
representative of operations by the malicious code to identify an occurrence of malicious code
behavior; and

in the event that the comparison process results in a match representing an identification
of malicious code behavior by the target program, then identifying the target program as
comprising the malicious code.

19. (Currently Amended) The memory storage device of Claim 18 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification of the target program comprising malicious code so that the target
program cannot affect the performance of subsequent programs executed by the computer
system.

20. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system,
comprising:

executing a target program within a virtual personal computer (PC) so that the target
program completes a virtual execution by interacting only with an instance of a virtual operating
system, the virtual PC comprising software operative to simulate functionality of a processor and
memory, the virtual operating system operative to simulate functionality of a multi-threaded
operating system for the computer system, the virtual PC and the virtual operating system
operating in combination to form a virtual machine;

collecting information about the behavior of the target program during virtual execution
of the target program by the virtual machine by tracking functions performed and not performed
by the target program with flags in a behavior pattern field and by tracking a sequence in which
the functions are called by the target program with the behavior pattern field in order to create a
record of virtual operations of the target program, whereby the record reflects a plurality of
operations of the malicious code if the target program comprises the malicious code;

upon completion of virtual execution of the target program, analyzing the record with the
virtual machine to identify an occurrence of malicious code behavior by comparing the record to
a behavior pattern representative of the operations performed by the malicious code; and

in the event that the record matches the malicious code behavior, then identifying the
target program as comprising the malicious code.

21. (Currently Amended) The memory storage device of Claim 20 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification of the target program comprising malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.

22. (Currently Amended) A computer-implemented method for identifying a
presence of malicious code in program code for a computer system, comprising the steps:

building a new virtual machine for the computer system by assigning physical
memory to a memory array each time a target program is to be executed, the memory array
functioning as memory for the virtual machine;

virtually executing [[a]] the target program within [[a]] the virtual machine comprising a
complete virtual personal computer (PC) implemented by software operative to simulate
functionality of a processor, [[and]] memory, [[and]] a virtual operating system having software
simulating functionality of a multi-threaded operating system for the computer system,
input/output (I/O) ports, BIOS firmware, and data areas for the virtual operating system, wherein
virtual execution of the target program comprises interactions with an instance of the virtual
operating system; and

creating a record of all functions simulated by the target program during virtual
execution of the target program by the virtual machine, the record comprising a behavior pattern
representative of the behavior of the target program as if it were executed on the computer
system, the behavior pattern comprising characteristics of malicious code behavior in the event
that the target program comprises the malicious code.

25. (Currently Amended) The computer-implemented method of Claim 24 further
comprising the step of removing the target program from the computer system in response to an
identification that the target program comprises the malicious code so that the target program
cannot affect performance of subsequent programs executed by the computer system.

26. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system,
comprising:

executing a target program within a virtual personal computer (PC) so that the target
program completes a virtual execution by interacting only with an instance of a virtual operating
system, the virtual PC comprising software operative to simulate functionality of a processor and
memory, the virtual operating system operative to simulate functionality of a multi-threaded
operating system for the computer system, the virtual PC and the virtual operating system
operating in combination to form a virtual machine;

collecting information about the behavior of the target program in response to virtual
execution of the target program by the virtual machine;

in response to completing virtual execution of the target program, collecting information
about interrupt call operations that call any interrupt service routine modified by the virtual
execution of the target program;

creating a record by tracking functions performed and not performed by the target
program with flags in a behavior pattern field and by tracking a sequence in which the functions
are called by the target program with the behavior pattern field, the functions comprising the
interrupt call operations, the record comprising the information collected about the virtual
execution of the target program and the interrupt call operations that call any interrupt service
routine modified by the virtual execution of the target program;

analyzing the record to identify an occurrence of malicious code behavior by comparing
the record to a behavior pattern representative of the operations performed by the malicious
code; and

in the event that the record matches the malicious code behavior, then identifying the
target program as comprising the malicious code.

27. (Currently Amended) The memory storage device of Claim 26 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification that the target program comprises malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.

28. (Currently Amended) The memory storage device of Claim 26, wherein the step
of collecting information about the behavior of the target program in response to virtual
execution of the target program comprises storing bits that correspond to the flags in a behavior
pattern register, the behavior pattern register providing memory for the behavior pattern field,
storing of the bits being completed in response to monitoring operating system calls, interrupts
and I/O port read/write operations completed by the virtual machine.

29. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system,
comprising:

initializing building a new virtual machine for the computer system by assigning fresh
physical memory to a memory array each time a target program is to be executed, the memory
array functioning as memory for the virtual machine, the virtual machine comprising a complete
virtual personal computer (PC) implemented by software simulating functionality of a central
processing unit, [[and]] memory, [[and]] a virtual operating system simulating functionality of a
multi-threaded operating system of the computer system, input/output (I/O) ports, BIOS
firmware, and data areas for the virtual operating system;

the initializing step comprising the steps of extracting the file structure of [[a]] the target
program and loading the target program into the software-simulated memory of the virtual PC;

executing a target program within the virtual PC so that the target program completes a
virtual execution by interacting only with an instance of the virtual operating system;

generating a behavior pattern by completing virtual execution of the entire code of the
target program within the virtual PC, the behavior pattern representative of a sequence of
operational functions completed by the target program during virtual execution, including at least
one of virtual operating system calls, Input/Output functions and program functions supported by
the target program;

upon completion of virtual execution, operating the virtual machine to compare the
behavior pattern generated by virtual execution of the target program to a behavior pattern
representative of operations by the malicious code to identify an occurrence of malicious code
behavior; and

in the event that the comparison process results in a match representing an identification
of malicious code behavior by the target program, then identifying the target program as
comprising the malicious code.

30. (Currently Amended) The memory storage device of Claim 29 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification that the target program comprises malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.
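
The behavior pattern field recited in claims 11, 20, 26 and 28 (flags for functions performed and not performed, plus the order in which they are called, compared against a malicious-code pattern only after virtual execution completes) is illustrated below. This is an added example, not code from the application or from Internet Security Systems; the function classes, struct layouts, `SAMPLE_SIG` and the replayed traces are constructed assumptions, and the emulator that would call `bp_record` is not shown.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical function classes reported by the virtual OS (not from the claims). */
enum bp_fn { BP_DIR_SEARCH, BP_FILE_OPEN, BP_WRITE_EXE, BP_IVT_MODIFY,
             BP_PORT_IO, BP_SHOW_UI, BP_FN_COUNT };
#define BP_BIT(fn) (1u << (fn))
struct behavior_pattern {
    uint32_t flags;            /* bit set = performed, bit clear = not performed */
    uint8_t  seq[BP_FN_COUNT]; /* order in which functions were first called */
    size_t   nseq;
};
struct bp_signature {
    uint32_t performed, not_performed;   /* flags that must be set / clear */
    const uint8_t *order; size_t norder; /* required relative call order */
};

/* Constructed sample: file search, then a write to an executable, no UI shown. */
static const uint8_t SAMPLE_ORDER[] = { BP_DIR_SEARCH, BP_WRITE_EXE };
static const struct bp_signature SAMPLE_SIG = {
    BP_BIT(BP_DIR_SEARCH) | BP_BIT(BP_WRITE_EXE), BP_BIT(BP_SHOW_UI),
    SAMPLE_ORDER, 2 };

/* Called for each monitored OS call, interrupt or I/O port access. */
void bp_record(struct behavior_pattern *bp, enum bp_fn fn)
{
    if ((unsigned)fn >= (unsigned)BP_FN_COUNT || (bp->flags & BP_BIT(fn)))
        return;                /* ignore unknown classes and repeat calls */
    bp->flags |= BP_BIT(fn);
    bp->seq[bp->nseq++] = (uint8_t)fn;
}

/* Compare the finished record with a signature once execution has completed. */
int bp_matches(const struct behavior_pattern *bp, const struct bp_signature *sig)
{
    size_t j = 0;
    if ((bp->flags & sig->performed) != sig->performed) return 0;
    if (bp->flags & sig->not_performed) return 0;
    for (size_t i = 0; i < bp->nseq && j < sig->norder; i++)
        if (bp->seq[i] == sig->order[j]) j++;
    return j == sig->norder;
}

/* Replay a constructed trace into a fresh record and report whether it matches. */
int analyze_trace(const enum bp_fn *trace, size_t n)
{
    struct behavior_pattern bp = {0};
    for (size_t i = 0; i < n; i++) bp_record(&bp, trace[i]);
    return bp_matches(&bp, &SAMPLE_SIG);
}
```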